Factors for Determining Security Success

Money aside, there are other factors that can affect the security bottom line. Alongside budget, there’s also expertise, capability, and influence.BudgetWhat are organizations spending on security?There is no magic number when it comes to security spending. The amount any given organization should spend on security depends on several factors including: size, industry, risk appetite and posture, and so on. However, we have broken out the annual security spend of our survey respondents (based on organization size) to serve as a rough benchmark for other organizations. As Figure 2 illustrates:

Among mid-market organizations (250-999 employees), 46 percent are spending under $250,000 annually on security, and 43 percent are spending $250,000 to $999,999 annually. (Only 11 percent are spending $1 million or more annually.)

The majority (57 percent) of enterprise organizations (1,000 – 9,999 employees) are spending $250,000 to $999,999 annually on security. (Only 20 percent are spending $1 million or more annually, while 23 percent are spending less than $250,000 annually.)

Fifty percent of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43 percent spending $250,000 to $999,999, and just seven percent spending under $250,000.

While these numbers provide some basic insight on the ratio of size of organization to security spend, it’s important to note that the size of an organization isn’t everything when it comes to security spending. The number of employees alone doesn’t necessarily correlate with the amount of revenue or funding available, or even the amount of risk that the organization faces. For example, a hedge fund may be managing billions of dollars with a small team, and a large state government agency with lots of employees may have a thin and fluctuating budget.

Another popular yardstick for gauging security spend is taking a percentage of the IT budget. However, percentages don’t help when the numbers involved are very large or very small. If a bank can afford to spend 10 percent of a billion-dollar IT budget on security, it can buy a lot more than a startup that gets 10 percent of a $50,000 IT budget to spend on security. When enterprises are setting spending levels for security, they are better off pricing out the specific security capabilities they need instead of simply picking a percentage of the IT budget at random.
Can organizations afford the security they need?An astounding eighty-four percent of survey respondents said they were able to afford some, but not all, of the minimum amount of security they needed to defend their infrastructure. Interestingly, we found that it was organizations with 1,000 – 9,999 employees that seemed to be struggling most when it comes to affording what they need – with only seven percent of these organizations saying they were able to afford all of the minimum security they needed. (See Figure 3.)

Comparatively, 19 percent of smaller organizations (250-999 employees), and 18 percent of larger organizations (over 10,000 employees) said they were able to afford all of the minimum security they needed. It appears that as organizations grow, security budgets do not always grow proportionately (until a very large number of employees is reached).“The interesting question is why it’s not the smallest organizations that most often rate themselves as being unable to afford the minimum security they need,” says Nather. “Is it because they feel they’re less of a target, and therefore don’t need as much security? Does the perceived security risk grow in relation to other growth factors of an organization? Or does an enterprise come onto the radar of attackers after it achieves a certain profile, only to be faced with a security imperative that it realizes it hasn’t met?”
Does a bigger budget increase security confidence/capability?Twenty-seven percent of organizations spending $1 million or more annually on security said they were able to afford all of the minimum security they needed, versus only nine percent of those spending $250,000 to $999,999. So it seems logical that, yes, increased spending does make some difference in security capability.However, organizations across all security budgets still feel they have further to go to implement effective security. Ninety-four percent of those spending $1 million or more annually said they have further to go, while 95 percent of those spending $250,000 to $999,999 said so, and 92 percent of those spending less than $250,000 said they have further to go.So while budget definitely helps, it’s not everything when it comes to security. What other factors come into play?Expertise
Do organizations have the appropriate staff and skills to effectively secure their environments?When asked who they rely on most for security expertise, only 37 percent said internal staff. Almost as many respondents (28 percent) said they rely most on professional networks. This speaks to the widespread skills shortage in cybersecurity. According to research by (ISC)², we have a shortage of nearly 3 million cybersecurity professionals around the world today. While it’s good that organizations feel they can turn to outside resources for security expertise, there is also critical business knowledge for which they should be able to rely on their internal security staff. This includes knowledge surrounding user experience and process design, risk analysis, and incident response.

“There are many security risk calls that need to be made, and a lot of incident response work that can only be done if you have institutional knowledge of an organization,” said Nather. “So even when you have external incident responders, they still have to rely on internal professionals who know what’s going on within the network.”We also uncovered that 34 percent of respondents are learning about security vulnerabilities and incidents that affect their organization from the media. This highlights the ongoing need for reliable journalists and expert bloggers to fill the cybersecurity situational awareness gap for many enterprises.

Among organizations with 1,000 – 9,999 employees, only 23 percent said they rely most on internal staff for security expertise. This once again speaks to the finding that organizations of this particular size are struggling most when it comes to affording the security capabilities they need.

Capability
What additional factors are hindering organizations from achieving strong security?Even if an organization has the expertise to know what it needs to do in its security program, that doesn’t necessarily mean it has the capability to execute on it. For example, conventional wisdom holds that network segmentation is a critical cybersecurity control, but a complex legacy network run by multiple providers may be too difficult and costly to disentangle with available resources.Additionally, security teams can’t always dictate their requirements to outside groups or organizations. For example, when a manufacturer has to meet dozens of country specific operational standards and regulations, it can take years for it to clear and distribute a software update for its control systems.

Capability is an important factor in the bottom line. Sometimes also referred to as “security maturity,” capability rests on fundamental functionality that organizations need before they can move ahead with more sophisticated projects. This includes (see Figure 4):

Knowing what you have and what it’s doing. Keeping an asset inventory up to date isn’t as easy as it sounds in today’s dynamic environment. Many application ecosystems are so complex that no one person may know what data is being shared, for what purposes, and through which interfaces. User audits generally uncover accounts that are critical but undocumented.

Being able to initiate (and prevent) changes to resources. If you don’t control a resource, you have to be able to get the owner to change it in a timely fashion to fix a vulnerability. Likewise, you need to make sure that changes only happen when they are approved, and that they take technology dependencies into account as well.

Understanding your security risks. What are your most critical assets, and what are they worth to criminals? You should know what kinds of threats are most likely to target your resources, how to recognize them, and how to block them. Otherwise you may spend time and money on assets that don’t matter, while ignoring the ones that do.

Being able to install and operate security technology. Once you’ve mastered the first three capabilities, you will be able to make effective use of products and services.

Which technologies are most commonly being used in security programs? These are the top 15 security technologies being used by our survey respondents:

Firewalls/Security Policy Management

Email Security

Network Malware Protection

Cloud Threat and Workload Detection/Protection

Data Loss Prevention

Encryption

VPN

Secure Internet/Web Gateway

Security Information & Event Management (SIEM)

Network Access Control

Cloud Access Security Broker

Endpoint Security/EDR

Web Application Firewall

Network Threat Detection/Network Traffic Analysis

Threat Intelligence Platforms

Taken by itself, the top 15 technologies listed above make up a substantial portfolio, requiring a large number of people with heavy expertise to configure, maintain, and monitor it all. The implication is that the personnel cost of the security bottom line is higher than many organizations realize when they are trying to plan out what they need.

Kelley Misata, PhD,
is the founder and CEO
of Sightline Security.

Sightline is a new cybersecurity company and
501(c)(3) nonprofit that is partnering with other
nonprofits to assess, prioritize, and improve their security.

Why is an organization like Sightline needed today?

Misata: Several reasons, but here are the top three. One, nonprofits don’t know what they need yet. They’re navigating cybersecurity without a map. With all the complexities in security today, that’s really difficult – particularly when you have limited time, staff, and money. And rightfully so when you are focused 200% on your mission of helping others!

Two, commercial security solutions aren’t designed with nonprofits in mind. Yes, nonprofits have similar business functions, but they also have nuances that make how they manage security different.

Three, nonprofits aren’t well versed in the language of security, and frankly security professionals can sometimes make it a bit complicated for non-security people to understand what we are talking about. Nonprofits attend security conferences and find that they can’t bridge what’s being said or align the solutions being offered to their business. Sightline’s mission is to be the bridge, translator, and advocate for these organizations. We are building assessment tools and a security community solely for nonprofits.

“In my previous role as an industry analyst, I polled security professionals on which technologies they thought CISOs needed to buy to properly secure their organizations,” said Nather. “The answers I got were really across the board – indicating that there is no standard blueprint. Some named as few as four technologies, while others called out more than 31 different tools.”“Many respondents to this poll simply said that what an organization needs depends on various factors, including what kind of data it has, what industry it’s in, whether it is geographically dispersed, and so on,” Nather continued. “If we can’t create a one-size-fits-all answer for the CISO – and the closest thing we have is a compliance standard for a tightly scoped, well-understood risk case such as PCI-DSS – then we can’t expect every organization to know with confidence what it actually needs. And if it doesn’t know what it needs, then it also doesn’t know whether it can even afford security.”While there are some technologies most organizations will choose to have, such as firewalls and endpoint security, the rest really depends on an organization’s specific situation. And it may require substantial research and a cybersecurity audit before an organization can determine what exactly it needs or can afford.

What are some of the particular security challenges that nonprofits face?

Misata: First, nonprofit businesses run very lean – meaning they don’t have time or money to waste on anything that doesn’t directly support their mission. For many nonprofits, cybersecurity is seen as expensive, overwhelming, and not needed until something bad happens.

Second, many nonprofits haven’t identified which of their assets might be attractive to attackers. So how can they know what to protect? Many nonprofits today are led down the path of spending money on solutions before understanding what they need.

Third, one of the biggest challenges for nonprofits is that no one person in the organization is squarely focused on security. Even though they’re very energized and know that security (particularly cybersecurity) is important, their attention is pulled in many directions.

The great news is that despite all of this, nonprofits are stepping up and are no longer seeing themselves as immune to an attack; they recognize that they have assets and data of value. But they often have minimal influence over vendors and service providers – they are far behind the curve. Through our work with Sightline members, we are now able to gather data and insights about the state of security in nonprofits so that we can start to bring them into the fold.

Influence
Can organizations effectively influence vendors, partners, and other third parties to provide the security they need?Third-party supply chain security is a major concern for CISOs today. With services, hardware, and software coming from dozens or hundreds of different sources, organizations don’t stand a chance when it comes to exerting complete control over their security.And it’s no surprise that the more employees and budget organizations have, the more likely they are to be able to influence vendors and partners to help them with security. For example, 86 percent of organizations with 10,000+ employees are learning about security vulnerabilities and incidents that affect their organization from the affected vendors/partners before they are public, versus just 60 percent of organizations with fewer than 1,000 employees.

And 38 percent of organizations spending $1 million or more annually on security said they were always able to add security related terms and conditions to a vendor/partner contract, versus only 17 percent of organizations spending less than $250,000 annually on security. This indicates that larger organizations with more spending power are better positioned to negotiate with outside parties.Where does this leave smaller organizations, who may be even more dependent on external partners? “Their best option may be to band together with peers to wield more influence over shared providers and suppliers,” says Nather. “For example, industry associations, regional cybersecurity forums, or information sharing and analysis centers (ISACs) enable members to organize requests and responses to security issues. Finding or creating this influence is part of the CISO’s job today, which makes networking even more important.”